On April 22, 2026, CISA, the FBI, the NSA, and intelligence agencies from the United Kingdom, Australia, Canada, and New Zealand published a joint advisory with a message that every organization running connected office equipment needs to read: China-linked threat groups are actively building covert attack networks out of compromised small office and home office routers, IoT devices, and smart infrastructure — and they have been doing so at scale for years.
The advisory, titled “Defending Against China-Nexus Covert Networks of Compromised Devices,” covers two specific groups: Volt Typhoon and Flax Typhoon. Both are assessed to be operating with support from or on behalf of Chinese state interests. Both have been caught using the same fundamental technique: compromise a large number of edge devices — the routers, cameras, NAS boxes, and smart sensors that sit at the boundary of corporate and home networks — then route attack traffic through them to make it look like normal internet activity originating from legitimate businesses.
This is not a theoretical threat. It is happening right now, and the devices being compromised are the same ones sitting in your office network.
What the Advisory Actually Says
The joint advisory — document AA26-113A on the CISA website — details how China-nexus groups have transitioned away from dedicated attack infrastructure toward what intelligence agencies call “covert networks of compromised devices.” The operational logic is straightforward: if your attack traffic originates from a legitimate small business router in the target country, it is far harder for defenders to detect, block, or attribute.
The devices being compromised are not exotic. They include:
- SOHO routers — Cisco, Netgear, Asus, TP-Link, D-Link devices, particularly end-of-life models no longer receiving security updates
- IoT sensors and controllers — building automation equipment, smart HVAC units, environmental monitors
- IP cameras — including Hikvision and Dahua devices with known vulnerabilities
- Network-attached storage — Synology, QNAP, and Western Digital NAS units
- Smart office equipment — connected printers, video conferencing endpoints, access control panels
Once compromised, these devices are enrolled into what intelligence agencies describe as "operational relay box" (ORB) networks. The attacker routes their actual traffic through the compromised device, using its legitimate IP address as a hop point. To any network defender looking at connection logs, the traffic appears to originate from an ordinary business in the same country as the target, not from infrastructure in China.
Volt Typhoon: Pre-Positioning for Disruption
Volt Typhoon is the group that received widespread attention in 2023 when Microsoft and CISA disclosed that it had been present inside US critical infrastructure networks — power grids, water systems, telecommunications — for months or years without detection. The goal, assessments concluded, was not immediate data theft but pre-positioning: establishing persistent access that could be activated to cause disruption in the event of a military conflict over Taiwan.
The group’s primary tool was the KV Botnet, a network of compromised Cisco and Netgear routers, predominantly end-of-life models. Traffic from Volt Typhoon operations passed through these devices, making it appear to originate from small US businesses.
The FBI disrupted the KV Botnet in January 2024, but the April 2026 advisory makes clear that Volt Typhoon's underlying approach, using compromised edge devices as operational relay infrastructure, has not changed. The group has rebuilt and continued operating.
The specific concern with Volt Typhoon and smart office environments is that operational technology and building management systems connected to enterprise networks represent exactly the kind of pre-positioned access the group seeks. A compromised HVAC controller or smart lighting system that shares network connectivity with enterprise systems is a potential persistence point.
Flax Typhoon: Systematic IoT Exploitation at Scale
Where Volt Typhoon focuses on critical infrastructure pre-positioning, Flax Typhoon has operated a broader IoT compromise operation. The group’s primary vehicle was the Raptor Train botnet, which by 2024 had infected over 200,000 devices worldwide. The FBI disrupted Raptor Train in September 2024, but — again — the advisory confirms the underlying operation continues.
What is significant about Flax Typhoon is the systematic nature of its IoT compromise approach. According to the advisory, the group has worked with Chinese private sector security companies to identify, exploit, and maintain access to large numbers of internet-facing IoT devices. This is not opportunistic exploitation — it is industrialized infrastructure development.
The 2026 advisory specifically identifies Integrity Technology Group, a Beijing-based company, as having controlled the Raptor Train botnet infrastructure. This is a named attribution to a private Chinese company acting in support of state intelligence objectives. It reflects a broader pattern that intelligence agencies have now documented across multiple China-nexus groups: the outsourcing of botnet infrastructure development to ostensibly private cybersecurity firms.
For organizations running smart office environments, Flax Typhoon’s pattern is directly relevant. The botnet specifically targeted:
- Consumer and small business routers
- IP surveillance cameras
- Smart home and building automation hubs
- Network video recorders
- Internet-exposed NAS devices
If any of these categories of devices exist on your network — and in a modern smart office, most of them do — you are operating exactly the type of equipment these groups target.
Why This Matters More for Smart Offices Than Traditional Networks
The conventional framing of Volt Typhoon and Flax Typhoon as threats to critical infrastructure — power grids, water treatment, ports — can cause enterprise security teams to underestimate the relevance to their own environments. The reasoning goes: we are a mid-sized professional services firm, not a utility. Why would Chinese intelligence care about us?
The answer is that these operations are not primarily about your data. They are about building covert network infrastructure that routes through your devices to reach other targets.
Your office router, if compromised, becomes a relay point for attacks against organizations in the same city, sector, or supply chain. Your IP cameras become observation points or traffic relay nodes. Your building automation equipment — if it has internet connectivity, which a growing number of smart building systems do — becomes a foothold into your network that can be used to move laterally or establish persistence for future operations.
There is also the supply chain dimension. Professional services firms, technology companies, and enterprises of all kinds serve as vendors to larger organizations, including defense contractors, government agencies, and critical infrastructure operators. Compromising a mid-sized firm’s network edge is often a stepping stone to reaching the actual high-value targets through trusted network relationships.
The advisory is explicit about this: the covert relay networks are used for both espionage and pre-positioning for potential disruptive operations. Every compromised device contributes to both capabilities.
The End-of-Life Device Problem
One thread that runs through every technical analysis of Volt Typhoon and Flax Typhoon operations is the central role of end-of-life devices. The KV Botnet was predominantly made up of Cisco and Netgear routers that had passed their vendor-supported end-of-life dates. The Raptor Train botnet similarly targeted devices no longer receiving firmware updates.
End-of-life devices are attractive targets for exactly the reasons you would expect: they have known, unpatched vulnerabilities, and their owners have no path to remediation because the vendor no longer releases security patches.
In a typical enterprise environment, the problem is concentrated at the network edge and in IoT deployments. Core infrastructure — servers, firewalls, switches — tends to be on vendor support contracts with active patch management. Edge devices — the router in the branch office, the IP camera installed during the 2019 office fit-out, the environmental sensor in the server room — often are not.
A 2026 Cisco survey found that 36% of organizations reported compromised IoT or OT devices linked to wireless security incidents. Many of those compromises start with unpatched firmware on devices that organizations assumed were low-risk because they are “just” a camera or “just” a router.
The joint advisory recommends that organizations:
- Inventory all internet-facing devices — particularly SOHO routers, cameras, NAS devices, and IoT sensors
- Identify end-of-life devices and replace them, rather than attempting to harden them
- Disable unnecessary internet exposure — building automation, cameras, and smart office systems that do not require direct internet access should not have it
- Segment IoT and OT devices from enterprise networks so that a compromised device cannot be used for lateral movement
- Monitor for unusual outbound traffic: compromised relay nodes show up in network flow data as devices that accept connections from unfamiliar internet hosts and open connections to destinations outside their normal operational profile, at volumes and frequencies a camera or router has no business generating
The NCSC’s Specific Technical Guidance
The UK’s National Cyber Security Centre, which co-authored the joint advisory, published supplementary technical guidance that is worth reading in full. The NCSC’s guidance focuses on detection, and makes several points that apply directly to smart office environments.
First, the NCSC notes that the relay networks are specifically designed to blend with legitimate traffic. Detection requires looking at behavioral patterns — unusual connection frequencies, traffic to unexpected destinations, devices communicating with peers outside their normal operational profile — rather than simply blocking known-bad IP addresses.
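As an added illustration of the behavioral approach the NCSC describes (and of the flow-monitoring and segmentation recommendations earlier in this article), the Python below is example code written for this page, not part of the advisory, the NCSC guidance or any vendor product. It profiles flow records from an IoT/OT VLAN and flags three things: destinations outside a device's expected baseline, enterprise hosts reached without passing through the one permitted chokepoint, and the relay pattern in which several unfamiliar internet hosts open connections to the device while the device opens a comparable volume of connections outward to hosts it has never contacted before. The address ranges, per-device baselines, thresholds and the flow records themselves are constructed assumptions, not real telemetry.

```python
"""Flow-based screening of an IoT/OT segment for relay-box behaviour and
segmentation bypass. Example code; all addresses, baselines, thresholds and
flow records below are constructed assumptions, not real telemetry."""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

# Assumed addressing: an IoT/OT VLAN, an enterprise segment, and the single
# enterprise host (e.g. the log collector) that IoT devices are allowed to reach.
IOT_NET = ipaddress.ip_network("10.40.0.0/24")
CORP_NET = ipaddress.ip_network("10.10.0.0/16")
CHOKEPOINTS = {ipaddress.ip_address("10.10.1.5")}

# Assumed per-device baseline: external hosts each device is expected to contact
# (vendor cloud, update server). In practice derive this from a learning window.
BASELINE = {
    "10.40.0.21": {"203.0.113.10"},   # IP camera -> vendor cloud
    "10.40.0.22": {"203.0.113.20"},   # NAS -> vendor update server
    "10.40.0.23": {"203.0.113.40"},   # HVAC controller -> building-management cloud
}

MIN_RELAY_PEERS = 3          # assumed: distinct external peers on each side before flagging
RELAY_BYTE_TOLERANCE = 0.25  # assumed: |in - out| / max(in, out) for "what comes in goes out"


@dataclass(frozen=True)
class Flow:
    src: str      # initiator of the connection
    dst: str      # responder
    dport: int
    nbytes: int   # bytes carried initiator -> responder


@dataclass
class DeviceProfile:
    ext_in_peers: set = field(default_factory=set)   # internet hosts that initiated TO the device
    ext_out_peers: set = field(default_factory=set)  # internet hosts the device initiated TO
    bytes_in: int = 0
    bytes_out: int = 0
    corp_bypass: set = field(default_factory=set)    # enterprise hosts reached that are not chokepoints


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return ip in IOT_NET or ip in CORP_NET


def profile_segment(flows):
    """Aggregate flows into a per-IoT-device profile of external and enterprise contacts."""
    profiles = defaultdict(DeviceProfile)
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src in IOT_NET:                       # device-initiated flow
            p = profiles[f.src]
            if not is_internal(dst):
                p.ext_out_peers.add(f.dst)
                p.bytes_out += f.nbytes
            elif dst in CORP_NET and dst not in CHOKEPOINTS:
                p.corp_bypass.add(f"{f.dst}:{f.dport}")
        if dst in IOT_NET and not is_internal(src):  # internet host initiated to the device
            p = profiles[f.dst]
            p.ext_in_peers.add(f.src)
            p.bytes_in += f.nbytes
    return profiles


def assess(flows):
    """Return {device: [reasons]} for devices whose behaviour departs from their profile."""
    findings = {}
    for dev, p in profile_segment(flows).items():
        reasons = []
        unexpected = p.ext_out_peers - BASELINE.get(dev, set())
        if unexpected:
            reasons.append(f"unexpected external destinations: {sorted(unexpected)}")
        if p.corp_bypass:
            reasons.append(f"reached enterprise hosts without chokepoint: {sorted(p.corp_bypass)}")
        # Relay signature: many strangers connect in, the device connects out to many new
        # hosts, and the byte volumes roughly match (a crude proxy for forwarding).
        if len(p.ext_in_peers) >= MIN_RELAY_PEERS and len(unexpected) >= MIN_RELAY_PEERS:
            hi = max(p.bytes_in, p.bytes_out)
            if hi > 0 and abs(p.bytes_in - p.bytes_out) / hi <= RELAY_BYTE_TOLERANCE:
                reasons.append(f"relay-like: {len(p.ext_in_peers)} external sources in, "
                               f"{len(unexpected)} new destinations out, "
                               f"bytes in/out {p.bytes_in}/{p.bytes_out}")
        if reasons:
            findings[dev] = reasons
    return findings


# Constructed sample flows: camera and HVAC behave normally; the NAS is acting as a relay
# and also talks SMB directly into the enterprise segment, bypassing the chokepoint.
SAMPLE_FLOWS = [
    Flow("10.40.0.21", "203.0.113.10", 443, 48_000),
    Flow("10.40.0.21", "10.10.1.5", 514, 2_000),
    Flow("10.40.0.23", "203.0.113.40", 8883, 12_000),
    Flow("198.51.100.7", "10.40.0.22", 443, 30_000),
    Flow("198.51.100.8", "10.40.0.22", 443, 25_000),
    Flow("198.51.100.9", "10.40.0.22", 8443, 20_000),
    Flow("10.40.0.22", "192.0.2.50", 443, 29_000),
    Flow("10.40.0.22", "192.0.2.51", 443, 24_000),
    Flow("10.40.0.22", "192.0.2.52", 443, 19_000),
    Flow("10.40.0.22", "203.0.113.20", 443, 1_500),
    Flow("10.40.0.22", "10.10.7.33", 445, 4_000),
]

if __name__ == "__main__":
    for device, reasons in assess(SAMPLE_FLOWS).items():
        print(device)
        for r in reasons:
            print("  -", r)
```

A real deployment would feed NetFlow/IPFIX or Zeek conn logs instead of the inline list and would build BASELINE from a learning window per device class. The byte-balance check is deliberately loose: it will miss relays that pad or tunnel traffic, and it will false-positive on a NAS that legitimately serves several remote users. Treat any of the three signals as a prompt to pull the device for inspection and, per the NCSC guidance above, to replace rather than factory-reset it if compromise is confirmed.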
Second, the guidance highlights that a factory reset does not reliably remove persistence from compromised devices. Some of the implants used in these operations survive a reset by writing to firmware storage or by planting persistent configuration that is restored on reboot, so a device that looks clean after a reset may not be. For devices assessed to be compromised, replacement is recommended over remediation.
Third, the NCSC recommends that organizations assess their supply chain exposure — specifically, whether IoT or network equipment in their environment was sourced through channels that could have introduced pre-compromised devices. This is a separate risk from post-deployment exploitation and one that is harder to detect through network monitoring alone.
What to Do Now
If your organization runs a smart office with connected devices — which at this point describes almost every modern office — the April 2026 advisory provides clear direction.
Immediate actions:
- Pull a full inventory of internet-facing devices, including routers, cameras, NAS, building automation controllers, and smart office sensors
- Check each device against vendor end-of-life schedules; devices past EOL should be prioritized for replacement
- Audit which devices have direct internet exposure and remove it where it is not operationally required
- Review network segmentation to confirm that IoT and OT devices cannot reach enterprise systems without going through controlled chokepoints
- Enable logging on edge devices and route those logs to a SIEM or log aggregation system where behavioral anomalies can be detected
Medium-term actions:
- Establish a firmware update policy that covers IoT and network edge devices, with defined cadences and accountability
- Implement network flow monitoring that can detect anomalous outbound traffic from device segments
- Brief facilities and IT leadership jointly — building management and IT teams often manage different portions of smart office infrastructure without coordinating on security posture
The advisory is not a warning about a hypothetical future threat. Volt Typhoon and Flax Typhoon have been operating in this manner for years. The April 2026 disclosure reflects intelligence agencies’ assessment that the threat has become sufficiently pervasive that organizations outside the traditional critical infrastructure sectors need to treat it as a direct operational concern.
Your network edge is the front line. Act accordingly.
This article is provided for informational purposes only and does not constitute legal advice.